diff --git a/SOURCES/lzo-2.06-CVE-2014-4607.patch b/SOURCES/lzo-2.06-CVE-2014-4607.patch new file mode 100644 index 00000000..d22c406e --- /dev/null +++ b/SOURCES/lzo-2.06-CVE-2014-4607.patch @@ -0,0 +1,245 @@ +diff --git a/minilzo/minilzo.c b/minilzo/minilzo.c +index 34ce0f0..ecfdf66 100644 +--- a/minilzo/minilzo.c ++++ b/minilzo/minilzo.c +@@ -3547,6 +3547,8 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len, + #undef TEST_LBO + #undef NEED_IP + #undef NEED_OP ++#undef TEST_IV ++#undef TEST_OV + #undef HAVE_TEST_IP + #undef HAVE_TEST_OP + #undef HAVE_NEED_IP +@@ -3561,6 +3563,7 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len, + # if (LZO_TEST_OVERRUN_INPUT >= 2) + # define NEED_IP(x) \ + if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun ++# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun + # endif + #endif + +@@ -3572,6 +3575,7 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len, + # undef TEST_OP + # define NEED_OP(x) \ + if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun ++# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun + # endif + #endif + +@@ -3602,11 +3606,13 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len, + # define HAVE_NEED_IP 1 + #else + # define NEED_IP(x) ((void) 0) ++# define TEST_IV(x) ((void) 0) + #endif + #if defined(NEED_OP) + # define HAVE_NEED_OP 1 + #else + # define NEED_OP(x) ((void) 0) ++# define TEST_OV(x) ((void) 0) + #endif + + #if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP) +@@ -3687,6 +3693,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len, + { + t += 255; + ip++; ++ TEST_IV(t); + NEED_IP(1); + } + t += 15 + *ip++; +@@ -3835,6 +3842,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 31 + *ip++; +@@ -3879,6 +3887,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 7 + *ip++; +@@ -4073,6 +4082,8 @@ lookbehind_overrun: + #undef TEST_LBO + #undef NEED_IP + #undef NEED_OP ++#undef TEST_IV ++#undef TEST_OV + #undef HAVE_TEST_IP + #undef HAVE_TEST_OP + #undef HAVE_NEED_IP +@@ -4087,6 +4098,7 @@ lookbehind_overrun: + # if (LZO_TEST_OVERRUN_INPUT >= 2) + # define NEED_IP(x) \ + if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun ++# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun + # endif + #endif + +@@ -4098,6 +4110,7 @@ lookbehind_overrun: + # undef TEST_OP + # define NEED_OP(x) \ + if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun ++# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun + # endif + #endif + +@@ -4128,11 +4141,13 @@ lookbehind_overrun: + # define HAVE_NEED_IP 1 + #else + # define NEED_IP(x) ((void) 0) ++# define TEST_IV(x) ((void) 0) + #endif + #if defined(NEED_OP) + # define HAVE_NEED_OP 1 + #else + # define NEED_OP(x) ((void) 0) ++# define TEST_OV(x) ((void) 0) + #endif + + #if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP) +@@ -4213,6 +4228,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len, + { + t += 255; + ip++; ++ TEST_IV(t); + NEED_IP(1); + } + t += 15 + *ip++; +@@ -4361,6 +4377,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 31 + *ip++; +@@ -4405,6 +4422,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 7 + *ip++; +diff --git a/src/lzo1_d.ch b/src/lzo1_d.ch +index 40a5bfd..c442d9c 100644 +--- a/src/lzo1_d.ch ++++ b/src/lzo1_d.ch +@@ -76,6 +76,8 @@ + #undef TEST_LBO + #undef NEED_IP + #undef NEED_OP ++#undef TEST_IV ++#undef TEST_OV + #undef HAVE_TEST_IP + #undef HAVE_TEST_OP + #undef HAVE_NEED_IP +@@ -91,6 +93,7 @@ + # if (LZO_TEST_OVERRUN_INPUT >= 2) + # define NEED_IP(x) \ + if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun ++# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun + # endif + #endif + +@@ -102,6 +105,7 @@ + # undef TEST_OP /* don't need both of the tests here */ + # define NEED_OP(x) \ + if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun ++# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun + # endif + #endif + +@@ -135,11 +139,13 @@ + # define HAVE_NEED_IP 1 + #else + # define NEED_IP(x) ((void) 0) ++# define TEST_IV(x) ((void) 0) + #endif + #if defined(NEED_OP) + # define HAVE_NEED_OP 1 + #else + # define NEED_OP(x) ((void) 0) ++# define TEST_OV(x) ((void) 0) + #endif + + +diff --git a/src/lzo1b_d.ch b/src/lzo1b_d.ch +index fe5f361..36b4b6b 100644 +--- a/src/lzo1b_d.ch ++++ b/src/lzo1b_d.ch +@@ -187,6 +187,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += (M4_MIN_LEN - M3_MIN_LEN) + *ip++; +diff --git a/src/lzo1f_d.ch b/src/lzo1f_d.ch +index 9e942f5..0c2199e 100644 +--- a/src/lzo1f_d.ch ++++ b/src/lzo1f_d.ch +@@ -84,6 +84,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len, + { + t += 255; + ip++; ++ TEST_IV(t); + NEED_IP(1); + } + t += 31 + *ip++; +@@ -138,6 +139,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 31 + *ip++; +diff --git a/src/lzo1x_d.ch b/src/lzo1x_d.ch +index 49cf326..c804cc7 100644 +--- a/src/lzo1x_d.ch ++++ b/src/lzo1x_d.ch +@@ -120,6 +120,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len, + { + t += 255; + ip++; ++ TEST_IV(t); + NEED_IP(1); + } + t += 15 + *ip++; +@@ -273,6 +274,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 31 + *ip++; +@@ -317,6 +319,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 7 + *ip++; +diff --git a/src/lzo2a_d.ch b/src/lzo2a_d.ch +index 48e51ca..954f07e 100644 +--- a/src/lzo2a_d.ch ++++ b/src/lzo2a_d.ch +@@ -131,6 +131,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len, + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += *ip++; diff --git a/SOURCES/lzo-2.06-configure.patch b/SOURCES/lzo-2.06-configure.patch new file mode 100644 index 00000000..44ae20d9 --- /dev/null +++ b/SOURCES/lzo-2.06-configure.patch @@ -0,0 +1,24 @@ +diff -Naur lzo-2.06/configure lzo-2.06.configure/configure +--- lzo-2.06/configure 2011-08-12 21:32:59.000000000 +0530 ++++ lzo-2.06.configure/configure 2011-09-14 12:33:41.151087816 +0530 +@@ -12964,7 +12964,7 @@ + asm_msg_amd64=no + asm_msg_i386=no + +-case "$host_cpu-$ac_cv_sizeof_void_p" in ++case "$target_cpu-$ac_cv_sizeof_void_p" in + amd64-8 | x86_64-8) asm_arch="amd64"; asm_dir="asm/amd64/src_gas/elf64"; asm_mode="amd64_src_gas_elf64" ;; + i?86-4) asm_arch="i386"; asm_dir="asm/i386/src_gas"; asm_mode="i386_src_gas" ;; + *) enable_asm=no ;; +diff -Naur lzo-2.06/configure.ac lzo-2.06.configure/configure.ac +--- lzo-2.06/configure.ac 2011-08-12 21:32:59.000000000 +0530 ++++ lzo-2.06.configure/configure.ac 2011-09-14 12:33:31.851087334 +0530 +@@ -123,7 +123,7 @@ + asm_msg_amd64=no + asm_msg_i386=no + +-case "$host_cpu-$ac_cv_sizeof_void_p" in ++case "$target_cpu-$ac_cv_sizeof_void_p" in + amd64-8 | x86_64-8) asm_arch="amd64"; asm_dir="asm/amd64/src_gas/elf64"; asm_mode="amd64_src_gas_elf64" ;; + i?86-4) asm_arch="i386"; asm_dir="asm/i386/src_gas"; asm_mode="i386_src_gas" ;; + *) enable_asm=no ;; diff --git a/SPECS/lzo.spec b/SPECS/lzo.spec new file mode 100644 index 00000000..afe69e39 --- /dev/null +++ b/SPECS/lzo.spec @@ -0,0 +1,191 @@ +Name: lzo +Version: 2.06 +Release: 8%{?dist} +Summary: Data compression library with very fast (de)compression +Group: System Environment/Libraries +License: GPLv2+ +URL: http://www.oberhumer.com/opensource/lzo/ +Source0: http://www.oberhumer.com/opensource/lzo/download/%{name}-%{version}.tar.gz +Patch0: lzo-2.06-configure.patch +Patch1: lzo-2.06-CVE-2014-4607.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: zlib-devel + +%description +LZO is a portable lossless data compression library written in ANSI C. +It offers pretty fast compression and very fast decompression. +Decompression requires no memory. In addition there are slower +compression levels achieving a quite competitive compression ratio +while still decompressing at this very high speed. + + +%package minilzo +Summary: Mini version of lzo for apps which don't need the full version +Group: System Environment/Libraries + +%description minilzo +A small (mini) version of lzo for embedding into applications which don't need +full blown lzo compression support. + + +%package devel +Summary: Development files for the lzo library +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +Requires: %{name}-minilzo = %{version}-%{release} +Requires: zlib-devel + +%description devel +LZO is a portable lossless data compression library written in ANSI C. +It offers pretty fast compression and very fast decompression. +This package contains development files needed for lzo. + + +%prep +%setup -q +%patch0 -p1 -z .configure +%patch1 -p1 -b .CVE-2014-4607 +# mark asm files as NOT needing execstack +for i in asm/i386/src_gas/*.S; do + echo '.section .note.GNU-stack,"",@progbits' >> $i +done + + +%build +%configure --disable-dependency-tracking --disable-static --enable-shared +make %{?_smp_mflags} CFLAGS="%{optflags} -fno-strict-aliasing" +# build minilzo too (bz 439979) +gcc %{optflags} -fno-strict-aliasing -fpic -Iinclude/lzo -o minilzo/minilzo.o -c minilzo/minilzo.c +gcc -g -shared -o libminilzo.so.0 -Wl,-soname,libminilzo.so.0 minilzo/minilzo.o + + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" +find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' +install -m 755 libminilzo.so.0 $RPM_BUILD_ROOT%{_libdir} +ln -s libminilzo.so.0 $RPM_BUILD_ROOT%{_libdir}/libminilzo.so +install -p -m 644 minilzo/minilzo.h $RPM_BUILD_ROOT%{_includedir}/lzo + +#Remove doc +rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/lzo + +%check +make check test + + +%clean +rm -rf $RPM_BUILD_ROOT + + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%post minilzo -p /sbin/ldconfig + +%postun minilzo -p /sbin/ldconfig + + +%files +%defattr(-,root,root,-) +%doc AUTHORS COPYING THANKS NEWS +%{_libdir}/liblzo2.so.* + +%files minilzo +%defattr(-,root,root,-) +%doc minilzo/README.LZO +%{_libdir}/libminilzo.so.0 + +%files devel +%defattr(-,root,root,-) +%doc doc/LZOAPI.TXT doc/LZO.FAQ doc/LZO.TXT +%{_includedir}/lzo +%{_libdir}/lib*lzo*.so + + +%changelog +* Wed Jul 2 2014 Jaroslav Škarvada - 2.06-8 +- Built with -fno-strict-aliasing (rpmdiff) + Related: CVE-2014-4607 + +* Mon Jun 30 2014 Jaroslav Škarvada - 2.06-7 +- Fixed integer overflow in decompressor + Resolves: CVE-2014-4607 + +* Fri Jan 24 2014 Daniel Mach - 2.06-6 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 2.06-5 +- Mass rebuild 2013-12-27 + +* Thu Feb 14 2013 Fedora Release Engineering - 2.06-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Jul 19 2012 Fedora Release Engineering - 2.06-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jan 13 2012 Fedora Release Engineering - 2.06-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Sep 14 2011 Huzaifa Sidhpurwala - 2.06-1 +- Upgrade to latest upstream +- Apply patch from Nicolas Chauvet + +* Tue Feb 08 2011 Fedora Release Engineering - 2.03-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Sat Jul 25 2009 Fedora Release Engineering - 2.03-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Feb 25 2009 Fedora Release Engineering - 2.03-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu May 1 2008 Lubomir Rintel 2.03-1 +- New upstream release +- Changed the license to GPLv2+ + +* Wed Apr 2 2008 Hans de Goede 2.02-5 +- Fix configure failure with -Werror-implicit-function-declaration in CFLAGS +- Add a minilzo subpackage which contains a shared version of minilzo, to be + used by all applications which ship with their own copy of it (bz 439979) + +* Tue Feb 19 2008 Fedora Release Engineering - 2.02-4 +- Autorebuild for GCC 4.3 + +* Wed Aug 15 2007 Hans de Goede 2.02-3 +- Update License tag for new Licensing Guidelines compliance + +* Mon Aug 28 2006 Hans de Goede 2.02-2 +- FE6 Rebuild + +* Wed Jul 26 2006 Hans de Goede 2.02-1 +- New upstream release 2.02, soname change! + +* Mon Jul 24 2006 Hans de Goede 1.08-7 +- Taking over as maintainer since Anvil has other priorities +- Add a patch to fix asm detection on i386 (bug 145882, 145893). Thanks to + Carlo Marcelo Arenas Belon for the initial patch. +- Removed unused build dependency on nasm +- Remove static lib +- Cleanup %%doc a bit + +* Thu Mar 16 2006 Dams - 1.08-6.fc5 +- Rebuild for new gcc + +* Tue Jan 17 2006 Dams - 1.08-5.fc5 +- Bumped release for gcc 4.1 rebuild + +* Sun May 22 2005 Jeremy Katz - 1.08-4 +- rebuild on all arches + +* Fri Apr 7 2005 Michael Schwendt +- rebuilt + +* Sun Apr 27 2003 Dams 0:1.08-0.fdr.2 +- Typo un devel description +- Added post and postun scriptlets +- Added URL in Source0 + +* Fri Apr 25 2003 Dams +- Initial build.